Splunk Search

How to search for and display the count of events per sourcetype in a table?

changux
Builder

Hi all.

I have a search that begins with:

index="first" OR index="second" sourcetype=*

I need to show a table with a lot of columns. The first should be the total events in a particular sourcetype (data1). Somebody can suggest please an eval syntax to do that?

Regards.

0 Karma
1 Solution

twinspop
Influencer
index=first OR index=second | stats count by sourcetype | fields count sourcetype

Maybe I'm misunderstanding the question.

EDIT: Second Attempt:

index=first OR index=second | 
stats count by sourcetype field1 field2 field3 | 
eventstats sum(count) as total by sourcetype | 
fields total sourcetype field1 field2 field3

View solution in original post

0 Karma

twinspop
Influencer
index=first OR index=second | stats count by sourcetype | fields count sourcetype

Maybe I'm misunderstanding the question.

EDIT: Second Attempt:

index=first OR index=second | 
stats count by sourcetype field1 field2 field3 | 
eventstats sum(count) as total by sourcetype | 
fields total sourcetype field1 field2 field3
0 Karma

changux
Builder

Thanks. I need something like:

index="first" OR index="second" | table EVENTSCOUNTINSOURCETYPEDATA1, field5, field3
0 Karma

twinspop
Influencer

Maybe second attempt above is what you're after

0 Karma

twinspop
Influencer

Just a point of advice: Don't use wildcards unless absolutely necessary. In this case, it really isn't doing anything for you at all. Without specifying sourcetype=* it will return all sourcetypes. But it's a horrible habit to get into. Wildcards are evil and should be avoided whenever possible.

0 Karma

changux
Builder

Thanks for the advice!

0 Karma
Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...